Affected versions: Tested on next-minor (12.3.0), but presumably from > 11.0.0 onwards where PBAC was introduced.
Reproduction path on next-minor (local app/gzac instance):
1. Login as admin
2. Create a case for leningen with an amount > 20000
3. Copy the URL
4. Login as user
5. Navigate to the copied URL
6. Notice some errors while the button to start a sub-process is still available
7. Start a sub-process "Lening aanvragen"
8. Notice the form is prefilled with values the user should not have access to
theo-ritense changed the title from "Users can view unauthorised data via the sub-process form prefilled values" to "Users can view and edit unauthorised data via the sub-process form prefilled values" on Sep 20, 2024
theo-ritense changed the title from "Users can view and edit unauthorised data via the sub-process form prefilled values" to "Users can view unauthorised data via the sub-process form prefilled values" on Sep 20, 2024
Sensitive data can be leaked via the form prefill when starting a new process from an unauthorised case.
This is the specific vulnerable endpoint: `/api/v1/process-definition/{processDefinitionId}/start-form?documentId={documentId}`
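The defect described above, modelled as an added example that is not Valtimo/GZAC code: a start-form handler that prefills from the case document without evaluating the caller's document-level VIEW permission, beside a hardened handler that evaluates the PBAC rule first. `Document`, `User`, `POLICY`, the sample cases and the two `start_form_*` functions are constructed for this illustration; the rule mirrors the report's scenario (regular users may not see leningen cases above 20000).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed, simplified model of a PBAC check in front of the start-form
# prefill. Not Valtimo/GZAC code: every name below is an assumption.

@dataclass(frozen=True)
class Document:
    id: str
    case_type: str
    content: Dict[str, object]

@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset

# Constructed sample cases: one above the 20000 threshold, one below.
DOCUMENTS = {
    "doc-1": Document("doc-1", "leningen", {"amount": 50000, "applicant": "J. Jansen"}),
    "doc-2": Document("doc-2", "leningen", {"amount": 5000, "applicant": "P. Pietersen"}),
}
ADMIN = User("admin", frozenset({"ROLE_ADMIN"}))
USER = User("user", frozenset({"ROLE_USER"}))

# A PBAC rule grants VIEW on a document when it returns True.
PolicyRule = Callable[[User, Document], bool]
POLICY: List[PolicyRule] = [
    lambda u, d: "ROLE_ADMIN" in u.roles,  # admins may view every case
    lambda u, d: "ROLE_USER" in u.roles    # users: leningen only up to 20000
    and d.case_type == "leningen"
    and d.content.get("amount", 0) <= 20000,
]

def may_view(user: User, doc: Document) -> bool:
    return any(rule(user, doc) for rule in POLICY)

def start_form_vulnerable(user: User, document_id: str) -> Tuple[int, Dict[str, object]]:
    # Only checks that the document exists, never that the caller may view it,
    # so the prefilled form leaks the case content to any authenticated user.
    doc = DOCUMENTS.get(document_id)
    return (404, {}) if doc is None else (200, dict(doc.content))

def start_form_hardened(user: User, document_id: str) -> Tuple[int, Dict[str, object]]:
    # Evaluate the document-level VIEW permission before any content is read.
    doc = DOCUMENTS.get(document_id)
    if doc is None or not may_view(user, doc):
        return 403, {}  # same answer for missing and forbidden: no existence oracle
    return 200, dict(doc.content)
```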